
vartroth/php-security-lint
==========================

A PHP security linter to detect insecure functions like `var_dump`, `print_r`, and other dangerous functions in your codebase

Version 0.1.0 (released 11mo ago), MIT license, requires PHP >=8.1. Listed since Jun 12; last pushed 11mo ago.

[Source](https://github.com/Vartroth/php-security-lint) | [Packagist](https://packagist.org/packages/vartroth/php-security-lint) | [Docs](https://github.com/vartroth/php-security-lint) | [RSS](/packages/vartroth-php-security-lint/feed)

PHP Security Lint
=================

A comprehensive PHP security linter designed to detect insecure functions and potential security vulnerabilities in your PHP codebase. Similar to `php-parallel-lint/php-var-dump-check` but with extended coverage for various security-related functions.

Features
--------

- **Comprehensive Detection**: Identifies debug functions (`var_dump`, `print_r`) and more
- **Multiple Output Formats**: Text, JSON, and table formats for different use cases
- **Flexible Configuration**: Customizable exclude patterns and strict mode
- **Severity Levels**: Categorizes violations by risk level (high, medium, low)
- **CI/CD Integration**: Perfect for automated security checks in your pipeline

Installation
------------

### Via Composer (Recommended)

```
composer require --dev vartroth/php-security-lint
```

### Global Installation

```
composer global require vartroth/php-security-lint
```

Usage
-----

### Basic Usage

```
# Scan a directory
./vendor/bin/php-security-lint /path/to/your/project

# Scan a single file
./vendor/bin/php-security-lint /path/to/file.php
```

### Advanced Usage

```
# Use table format
./vendor/bin/php-security-lint --format=table /path/to/project

# JSON output for CI/CD integration
./vendor/bin/php-security-lint --format=json /path/to/project

# Exclude specific patterns
./vendor/bin/php-security-lint --exclude="*/vendor/*" --exclude="*/tests/*" /path/to/project

# Strict mode (treat all findings as errors)
./vendor/bin/php-security-lint --strict /path/to/project

# Disable progress output
./vendor/bin/php-security-lint --no-progress /path/to/project
```

Detected Functions
------------------

### Debug Functions (Medium Risk)

- `var_dump()` - Debug output that shouldn't be in production
- `print_r()` - Debug output that shouldn't be in production
- `var_export()` - Debug output that shouldn't be in production
- `debug_print_backtrace()` - Debug function
- `debug_backtrace()` - Debug function
- `phpinfo()` - Information disclosure risk

### Execution Functions (High Risk)

- `unserialize()` - Potentially dangerous function - use with caution
- `eval()` - Dangerous function - can execute arbitrary code
- `shell_exec()` - Dangerous function - can execute shell commands
- `system()` - Dangerous function - can execute system commands
- `passthru()` - Dangerous function - can execute system commands

### Database Functions (Low Risk)

- `mysql_query()` - Deprecated function
- `mysqli_query()` - Raw queries (use prepared statements)

### Other Functions

- `echo()` - Output (ensure proper escaping)
- `print()` - Output (ensure proper escaping)
- `printf()` - Output (ensure proper escaping)
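
As an added illustration of how a token-based linter recognizes the calls listed above (this is not php-security-lint's own implementation, which is not reproduced on this page), the following PHP uses `token_get_all()` to report plain calls to the listed functions with the README's severities, while skipping method calls, static calls and user-defined functions that reuse a risky name. `echo`, `print` and `printf` from the "Other Functions" list are left out because the page gives them no severity and `echo`/`print` are language constructs (`T_ECHO`/`T_PRINT` tokens), not `T_STRING` names.

```php
<?php
// Added illustration, not php-security-lint's own code: a minimal token-based
// scanner for the function list above. Severities mirror the README sections.
declare(strict_types=1);
const RISKY_FUNCTIONS = [
    'eval' => 'high', 'shell_exec' => 'high', 'system' => 'high',
    'passthru' => 'high', 'unserialize' => 'high',
    'var_dump' => 'medium', 'print_r' => 'medium', 'var_export' => 'medium',
    'debug_backtrace' => 'medium', 'debug_print_backtrace' => 'medium',
    'phpinfo' => 'medium', 'mysql_query' => 'low', 'mysqli_query' => 'low',
];

// Returns [['line' => int, 'function' => string, 'severity' => string], ...].
// Method calls ($o->system()), static calls (Foo::system()) and definitions reusing a risky name (function system()) are skipped.
function scan_php_source(string $source): array
{
    $tokens = token_get_all($source);
    $n = count($tokens);
    // Index of the nearest non-whitespace token from $i, walking in direction $step.
    $skipWs = function (int $i, int $step) use ($tokens, $n): int {
        while ($i >= 0 && $i < $n && is_array($tokens[$i]) && $tokens[$i][0] === T_WHITESPACE) {
            $i += $step;
        }
        return $i;
    };
    $findings = [];
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        // eval is its own token (T_EVAL), not a T_STRING, so it must be accepted explicitly.
        if (!is_array($tok) || !in_array($tok[0], [T_STRING, T_NAME_FULLY_QUALIFIED, T_EVAL], true)) {
            continue;
        }
        $name = strtolower(ltrim($tok[1], '\\'));
        $next = $skipWs($i + 1, 1);
        $prev = $skipWs($i - 1, -1);
        $isCall = isset(RISKY_FUNCTIONS[$name]) && $next < $n && $tokens[$next] === '(';
        $isMemberOrDef = $prev >= 0 && is_array($tokens[$prev]) && in_array($tokens[$prev][0],
            [T_OBJECT_OPERATOR, T_NULLSAFE_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true);
        if ($isCall && !$isMemberOrDef) {
            $findings[] = ['line' => $tok[2], 'function' => $name, 'severity' => RISKY_FUNCTIONS[$name]];
        }
    }
    return $findings;
}
// Constructed sample: lines 2 and 3 are findings; line 4 is a method call and is ignored.
$sample = "<?php\n\$cfg = unserialize(\$_COOKIE['prefs']);\nvar_dump(\$cfg);\n\$logger->var_dump(\$cfg);\n";
foreach (scan_php_source($sample) as $f) {
    printf("line %d: %s() [%s]\n", $f['line'], $f['function'], $f['severity']);
}
```

A real linter would also have to resolve `use function` imports and namespaced fallbacks before trusting the name; this snippet only shows the core token matching.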

Configuration
-------------

### Exclude Patterns

By default, the following patterns are excluded:

- `*/vendor/*`
- `*/node_modules/*`
- `*/tests/*`
- `*/test/*`

You can customize exclude patterns using the `--exclude` option:

```
./vendor/bin/php-security-lint --exclude="*/cache/*" --exclude="*/temp/*" /path/to/project
```

### Programmatic Usage
